
Brute Force Attacks


capnqwest
07-25-2005, 12:05 PM
I'm using APF and BFD to automate IP banning when the number of failed login attempts has been reached but I'm perplexed as to why it would allow 1,330 attempts from one IP before executing an apf -d.

I don't know about you guys but the attacks have really stepped up in the past 10-15 days. I get anywhere from 25-60 attack notifications per day now.

Is there any way to set a limit on the number of login failures to, say, 3 before dropping packets from that IP? I don't see that option in the bfd.conf file.

Thanks,
Michael

BornOnline
07-25-2005, 12:15 PM
You could just change the cron so it runs more often and will catch those quicker. I think the default is 10 minutes.
After changing my SSH port, I have not had a BF attempt in two weeks.

capnqwest
07-25-2005, 12:37 PM
You could just change the cron so it runs more often and will catch those quicker. I think the default is 10 minutes.
After changing my SSH port, I have not had a BF attempt in two weeks.

I think the cron just sets the interval to e-mail the alert out. From /etc/cron.d/bfd:

MAILTO=
SHELL=/bin/sh
7,17,27,37,47,57 * * * * root /usr/local/sbin/bfd -q


but changing the ssh port is a good idea.

Tony
07-25-2005, 01:13 PM
Nope, BornOnline is correct; if you want it to ban the attempts quicker, you need to increase the number of times the crontask runs. The mailto line is just cron mail notification and has nothing to do with BFD's built-in e-mail notification. =)

charles
07-25-2005, 01:22 PM
Beware that we periodically stagger the cron jobs for things like bfd so everyone isn't running them at the same time (notice his are not on a 0 or 5 minute boundary).

So if you intend to increase the frequency, I suggest

1. keep it off 0 or 5 minute marks
2. call bfd from a wrapper script so that our automated staggering ignores it.

hth
charles

capnqwest
07-25-2005, 02:10 PM
Beware that we periodically stagger the cron jobs for things like bfd so everyone isn't running them at the same time (notice his are not on a 0 or 5 minute boundary).

So if you intend to increase the frequency, I suggest

1. keep it off 0 or 5 minute marks
2. call bfd from a wrapper script so that our automated staggering ignores it.

hth
charles

Thanks for the tip Charles and I think I'll leave it at 10 minutes for now. It does seem kind of pointless though to leave a potential 10 minute window for a brute force attack to be successful. I'm also wondering what kind of resource strain the constant attempts are having on my server.

charles
07-25-2005, 02:23 PM
I am unsure which would be worse, the load caused by the attempts, or the increased processing. You could try it and see.

I am personally in favor of a cooperative mechanism (opt-in) whereby we scan the logs for all participating VPS from the VPS server, and then ban from all participating VPS (perhaps across servers even) when they are detected. This scan could be done much more frequently since it would only be done once for all VPS.

There are downsides to this approach (like a false hit affecting others), but I think if done correctly this could cut down on a lot of this stuff.

So much to do, so little time...

charles
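The per-IP failure threshold capnqwest asks about and the log scan Charles sketches, as an added example that is not BFD's, APF's or the hosting provider's code: it counts failed sshd logins per source address over constructed sample log lines and hands every address at or above a limit to apf -d. The APF path, the sshd log format and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not BFD/APF code: threshold-based ban decision from sshd logs.
# Constructed sample log lines (not taken from the thread or a real server).
SAMPLE_LOG='Jul 25 12:01:02 vps sshd[2111]: Failed password for root from 10.0.0.5 port 40211 ssh2
Jul 25 12:01:03 vps sshd[2112]: Failed password for root from 10.0.0.5 port 40212 ssh2
Jul 25 12:01:04 vps sshd[2113]: Failed password for invalid user admin from 10.0.0.5 port 40213 ssh2
Jul 25 12:01:05 vps sshd[2114]: Failed password for michael from 192.0.2.9 port 50001 ssh2
Jul 25 12:01:06 vps sshd[2115]: Accepted password for michael from 192.0.2.9 port 50002 ssh2
Jul 25 12:01:07 vps sshd[2116]: Failed password for root from 10.0.0.5 port 40214 ssh2'

# offenders THRESHOLD: read sshd log lines on stdin and print "ip count" for
# every source address with at least THRESHOLD failed logins, highest first.
# Successful ("Accepted") logins are ignored, so a legitimate user who
# mistypes once and then gets in does not accumulate a ban.
offenders() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the token after "from" is the source address
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { fails[$(i + 1)]++; break }
            }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' | sort -k2,2nr
}

# ban_offenders THRESHOLD [APF_COMMAND]: deny each offender with "apf -d IP".
# APF_COMMAND defaults to the assumed path /usr/local/sbin/apf; pass "echo"
# to dry-run and see which bans would be issued.
ban_offenders() {
    apf="${2:-/usr/local/sbin/apf}"
    offenders "$1" | while read -r ip count; do
        "$apf" -d "$ip"
    done
}

# Dry run over the sample log with a limit of 3 failures:
#   printf '%s\n' "$SAMPLE_LOG" | ban_offenders 3 echo
```

Run from cron at whatever interval suits (off the 0 and 5 minute marks, per Charles), feeding it the live auth log instead of the constructed sample.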

capnqwest
08-04-2005, 04:48 PM
I just had an IP today try 4,810 times to login as root. That has to affect system performance...

Hvu
08-04-2005, 05:13 PM
Wow, I haven't gotten that many ssh root attempts. The collab idea seems good, but how about adding to VPS that want it via APF or Snort rules? Installing Snort standard on new VPS and old ones that request it.

ndndixie
08-04-2005, 06:52 PM
I am unsure which would be worse, the load caused by the attempts, or the increased processing. You could try it and see.

I am personally in favor of a cooperative mechanism (opt-in) whereby we scan the logs for all participating VPS from the VPS server, and then ban from all participating VPS (perhaps across servers even) when they are detected. This scan could be done much more frequently since it would only be done once for all VPS.

There are downsides to this approach (like a false hit affecting others), but I think if done correctly this could cut down on a lot of this stuff.

So much to do, so little time...

charles
I'd be in.

charles
08-05-2005, 02:12 AM
BFD should have caught that long before 4k attempts. capnqwest, please email support and ask them to check your settings.

charles

Soul
08-05-2005, 02:15 PM
You might try the technique I found here. Using it nobody will even know you are running ssh.

http://forums.deftechgroup.com/showthread.php?t=26#post3260

capnqwest
08-05-2005, 04:50 PM
BFD should have caught that long before 4k attempts. capnqwest, please email support and ask them to check your settings.

charles

Charles, doesn't it depend on the cron interval (10 mins) before the apf -d is executed? Brutus or John the Ripper could easily try that many times in 10 mins. I'll still open a ticket.

charles
08-05-2005, 04:59 PM
Charles, doesn't it depend on the cron interval (10 mins) before the apf -d is executed? Brutus or John the Ripper could easily try that many times in 10 mins. I'll still open a ticket.

Yes it does. You usually don't see that many attempts in one pass though.

charles